Skip to content

Checks if the password for each WordPress user account has been compromised via haveibeenpwned.com

Notifications You must be signed in to change notification settings

coenjacobs/wp-haveibeenpwned

Repository files navigation

Have I Been Pwned

This WordPress plugin checks if the password for each user account has been compromised via haveibeenpwned.com, as soon as the user logs in. This will never send the actual password of your users, but it rather fetches a list to do the check locally. If the users password appears to be compromised, the user will be notified via an admin notice.

How does this work?

When a user logs in, the first five characters of the hash made of a password are sent to the haveibeenpwned.com API. This API then returns a list of hashes of compromised passwords, all starting with the five characters provided. The check to see if the actual password used is on the list, is done locally and the password of the user is never being posted anywhere. Not even in hashed form.

What is haveibeenpwned.com?

The website haveibeenpwned allows everyone to easily search through compromised sets of data, often sourced from leaked or hacked data. This data often contains usernames, passwords, email addresses and other personal data. Troy Hunt is a well known security researcher and makes this data available for anyone to search and check if their data is potentially being compromised.

About

Checks if the password for each WordPress user account has been compromised via haveibeenpwned.com

Topics

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages